wpvulndb | Rodel Plasabas | WPVDB-ID:E383FAE6-E0DA-4ABA-BB62-ADF51C01BF8D
Sep 27, 2021 - 12:00 a.m.

NinjaForms < 3.5.8.2 - Admin+ Stored Cross-Site Scripting

2021-09-27 00:00:00
Rodel Plasabas
wpscan.com

EPSS: 0.001 (Low), percentile 24.8%

The plugin does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PoC

With the Form Builder "Dev Mode" setting enabled, create a form and a field, then under the Display option of the field, add the following payload in the Custom Class Names Container field: ">

Save the field and form, then view/preview the page with the form embedded to trigger the XSS.

https://www.youtube.com/watch?v=Ax8QK5gEBUk
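
The missing sanitise-and-escape step from the description, shown as a before/after pair in PHP. This is an added example, not Ninja Forms code: the function names, the "example-wrap" class and the sample value are assumptions, and in WordPress itself sanitize_html_class() and esc_attr() fill the roles of the two helper steps.

```php
<?php
// Added example, not Ninja Forms code. All function names, the
// "example-wrap" class and the sample value are hypothetical.

// Reduce a user-supplied class list to safe tokens. Same allow-list idea as
// WordPress's sanitize_html_class(): only A-Z, a-z, 0-9, "_" and "-" survive.
function example_sanitize_class_list(string $raw): string
{
    $tokens = preg_split('/\s+/', $raw, -1, PREG_SPLIT_NO_EMPTY) ?: [];
    $clean  = [];
    foreach ($tokens as $token) {
        $token = preg_replace('/%[a-fA-F0-9]{2}/', '', $token); // percent-encoded octets
        $token = preg_replace('/[^A-Za-z0-9_-]/', '', $token);  // everything off the allow-list
        if ($token !== '') {
            $clean[] = $token;
        }
    }
    return implode(' ', array_unique($clean));
}

// Before: the stored setting is concatenated into the attribute unchanged, so
// a quote in the value ends the attribute and the rest is parsed as markup.
function example_render_unsafe(string $container_class): string
{
    return '<div class="example-wrap ' . $container_class . '">';
}

// After: sanitise the value, then escape it for the attribute context
// (esc_attr() in WordPress; htmlspecialchars() stands in for it here).
function example_render_safe(string $container_class): string
{
    $classes = trim('example-wrap ' . example_sanitize_class_list($container_class));
    return '<div class="' . htmlspecialchars($classes, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed value: the "> prefix shown in the PoC plus a harmless marker tag.
$stored = 'my-class "><b id=marker>';

echo example_render_unsafe($stored), PHP_EOL; // attribute is closed early
echo example_render_safe($stored), PHP_EOL;   // value stays inside class=""
```

Sanitising when the setting is saved and escaping when it is rendered are independent layers, and neither depends on the unfiltered_html capability of the user who saved the value.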

CPE
Name         Operator  Version
ninja-forms  lt        3.5.8.2

